URL Filtering Based On URIs on Palo Alto Firewalls
We get some requests such as blocking the base domain and to only allow certain pages on websites based on the URIs — that which comes after the “/” e.g.
hostname.com – block
hostname.com/page2 – allow
You need the URL filtering license to be able to do this.
Initially, I tried it with a single policy which failed, then using two policies you can get the exact filtering.
I am using Daniel Miessler’s blog for demonstration. We will allow /blog, /popular, and /study and block the base hostname.
danielmiessler.com – block
And these to be allowed with everything being blocked.
Note: open the images in a new tab for larger sizes
Create a custom object URL category of paths to allow
Repeat this for the base domain to be blocked
Add them to URL filtering objects and set the proper Actions.
Note the actions, getting them right is the most important here.
Create both security policies to allow the paths and to deny the base domain
The final policy order with allow rule before the deny one.
And that’s all there is to it folks! You can try other variations of this, I’ll update the post if I come across something.